Hackers might have stolen IRS data on more than 300,000 households

The Internal Revenue Service said Monday that more than twice as many taxpayer accounts were hit by identity thieves as the agency first reported, with hackers gaining access to as many as 330,000 accounts and attempting to break into an additional 280,000.

The IRS said in May that cyber crooks used stolen Social Security numbers and other data acquired elsewhere to try to gain access to prior-year tax return information for about 225,000 U.S. households. That included about 114,000 successful attempts and 111,000 unsuccessful ones.

The agency said Monday that further investigation showed an additional 390,000 taxpayers were potentially affected, including about 220,000 accounts where hackers cleared an authentication process and about 170,000 failed attempts. The earlier investigation covered the period of February to May. This time the agency conducted a deeper review that looked at data from as far back as November 2014. The new revelations are likely to add to the beleaguered agency’s public-relations problems, at a time when many lawmakers — particularly Republicans — already are unhappy over its performance on several fronts.

“Today’s revelation that the IRS didn’t fully understand this security breach for months is not confidence-inspiring,” said Rep. Peter Roskam (R., Ill.), chairman of the House Ways and Means subcommittee that oversees the IRS. Senate Finance Committee Chairman Orrin Hatch (R., Utah) termed Monday’s announcement “deeply concerning,” and said the agency’s inability to block the attacks “risks further fraud for hardworking taxpayers.”

The breaches occurred in an online application called “Get Transcript” that allowed taxpayers to obtain prior-year return information. The IRS shut the online system after the hacking came to light. Government investigators previously said they believe many of the attacks came from criminals operating in Russia as well as other countries. They didn’t elaborate Monday on who they think was behind the attacks.

“The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security for ‘Get Transcript,’ including by enhancing taxpayer-identity authentication protocols,” the agency said in a statement. Prior-year tax data can be highly useful to crooks in filing fake tax returns that seek fraudulent refunds. The IRS faces an epidemic of fraudulent returns, with officials estimating the government paid out about $5.8 billion in phony refund claims to identity thieves in 2013 alone.

Only a few thousand of the affected taxpayer accounts have been the subject of attempted refund fraud so far, IRS officials have said. But IRS officials believe hackers in many instances were gathering the information to carry out fraud during the 2016 tax-filing season. The incidents echo problems earlier this year in some states with fraudulent filings, and underscore the growing risk from cyberattacks for governments at all levels, as well as for individuals and businesses.

Intuit Inc., the maker of TurboTax software, suspended the transmission of electronically filed state tax returns for about 24 hours earlier this year after a surge of fraudulent claims for refunds. Some of the false state filings used information from 2013 tax returns.

At the urging of IRS Commissioner John Koskinen, both federal and state tax agencies are working with representatives of tax-preparation companies to scrutinize every aspect of the filing process and share information so that all can respond more quickly to scams. But the crooks appear to be moving quickly too, as the new attacks have shown.

While the IRS has long furnished paper transcripts as well as paper copies of complete tax returns, the fully online version of Get Transcript dates only to early 2014. Mr. Koskinen then touted it as “a secure online system that allows taxpayers to view and print a record of their IRS account…in a matter of minutes.” Several types of transcripts are available, but in general they show summary account information for the current tax year and three prior years. Many lenders require applicants to submit one of the transcripts to qualify for mortgages or student loans.

The IRS has said that to obtain taxpayer information through the system, hackers had to navigate a multistep authentication process requiring personal knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address. The process also involved answering personal questions such as “What was your high school mascot?”

To get through the authentication, IRS officials believe attackers became adept at aggregating personal data from multiple sources. “It’s another reminder that we as a nation have been completely outgunned on cybersecurity,” said Neal O’Farrell, a cybersecurity specialist with the Identity Theft Council in Walnut Creek, Calif. “Too often, organizations don’t know what they don’t know.”

Some tax preparers are frustrated by both the growth of tax ID theft and what they see as delays in resolving the issue. “It seems like everybody and their brother is having a problem getting tax ID thefts straightened out,” said Oscar Pressel, a CPA in Crofton, Md., who prepares taxes for more than 400 clients. Mr. Pressel said that this year about eight of his clients were hit by tax ID theft, about double the number in prior years. As in its initial announcement in May, the IRS said it would notify affected taxpayers and take other steps, including offering free credit protection and special identification numbers to reduce instances of tax-refund fraud.